Thanks for your question. Rest assured that I did not take it as accusatory or antagonistic.
The short answer is that as with any software, if you don’t have the time, inclination and expertise to inspect the software yourself, you have to place your trust somewhere. Personally, I would typically trust the wider community of open source contributors and reviewers more than a closed-source company product but a lot of people place their full trust in companies like Facebook and Google so everyone has different opinions.
The longer answer is probably best read in conjunction with the existing page about this topic (if you haven’t already done this): https://www.kee.pm/open-source/
c) I can keep my current ability to sync my vault over a cloud service but also back it up locally
Yes, Kee Vault does this, although currently the local back up process is manual. I’m interested in feedback as to whether it would be worthwhile developing an automatic solution so do let me know if you go down this route and then find that this would be beneficial in future.
it might (?) address the fact that I find the KeePass global hotkey doesn’t always work.
Kee doesn’t interact with the global hotkey at all. It can’t automatically fill 100% of sign-in forms but it works for the vast majority so you should find it’s a big improvement overall.
I have no doubt that these permissions are unavoidable in order for the Kee extension to work, but it still involves placing an awful lot of trust in the product/developer
Yeah, browser extensions historically had full access to everything in your browser and although this situation has been improved in recent years, there is still room for them to make the permissions more granular. That said, and I say this in full knowledge that there are exceptions to this rule (particularly in business environments), full access to the web browser is typically of a lower concern than full access to the password database. So in the case of password management software, I’m not sure the relatively extensive permissions required compared to simpler browser extensions should be a huge worry.
I just don’t know if the same can be said of Kee (& Kee Vault). It’s one thing to say this is open-source, so could be thoroughly checked over by anyone, and quite another thing to say that has actually happened and there are audit details to prove it.
KeePass has certainly had more attention (funding) for security audits than any of the software I’ve released. Both KeePassRPC and Kee Vault benefit from this attention because we can be confident that the underlying method for protecting (encrypting) the data in your database/vault is secure. They can’t claim an independent person has verified there are no malicious backdoors, etc. although neither can a thorough security audit unless it is repeated with each release (they never are).
Many of the components that are unique to Kee Vault, Kee and KeePassRPC have also had many years of attention from others with security knowledge. I’m always careful to vet all code that gets included in all of this software and keep dependencies upon 3rd party code to a minimum, all of which helps to reduce the risk of bugs being introduced.
There is a lot more detail around the security of Kee, Kee Vault and KeePassRPC on this forum, although it may not all be written in an approachable manner for a lay person. If there’s any specific questions you can’t find the answer to, please let me know and I’ll try to help.
Likewise, when having to install a KeePass plugin and then authorise access to this third-party software
The nature of KeePass (and the underlying technology it’s built on) is such that it’s not possible to enable granular permissions for individual plugins. So again you have to place your trust in someone other than Dominik (creator of KeePass) - in this case, me. If you look around you should be able to find indications that people have been monitoring the behaviour of the KeePassRPC plugin for a long time - detecting things such as the connection to a web server to download the list of current public suffixes for domain names. Depending on your level of paranoia, this may be sufficient indication that existing or future bad behaviour will be noticed and queried.
On the topic of security flaws or backdoors being introduced after the most recent point that someone reviewed the source code or behaviour of the software, there are a few mitigating factors:
For Kee, Mozilla reviews the source code of each submission for malicious behaviour and the latest version of the browser extension can be inspected once downloaded - thus any deviation from the public source code can be fairly easily spotted.
For Kee Vault, automated systems convert the public source code into the application that gets delivered to your browser so again, multiple systems would need to be compromised in order for this to become a valid risk (and in doing so, this would be visible publicly). There’s still more to do in this area and I’m really looking forward to some forthcoming web technologies that will allow Kee Vault to offer a provable chain of trust right back to the source code in a way that is useful for non technical people.
For KeePassRPC, there’s not a huge amount that can be done to verify the integrity of the plgx file beyond trusting that someone other than me has built the file from the source code and verified that the output is the same as the one I have added to the GitHub release. Unfortunately the method of creating a plgx is complex enough that there aren’t any truly independent services that can offer automatic verification but it’s something I always keep an eye on in case the situation improves in future.